Total
310690 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8684 | 2 Uxthemes, Wordpress | 2 Flatsome, Wordpress | 2025-09-05 | 6.4 Medium |
| The Flatsome Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.20.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-58796 | 2025-09-05 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dudaster Elementor Element Condition allows Stored XSS. This issue affects Elementor Element Condition: from n/a through 1.0.5. | ||||
| CVE-2025-58881 | 2025-09-05 | 8.5 High | ||
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus New Simple Gallery allows Blind SQL Injection. This issue affects New Simple Gallery: from n/a through 8.0. | ||||
| CVE-2025-58880 | 2025-09-05 | 6.5 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in reubenthiessen Translate This gTranslate Shortcode allows Stored XSS. This issue affects Translate This gTranslate Shortcode: from n/a through 1.0. | ||||
| CVE-2025-58179 | 1 Withastro | 1 Astro | 2025-09-05 | 7.2 High |
| Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URLs it receives, allowing content from unauthorized third-party domains to be served. a A bug in impacted versions of the @astrojs/cloudflare adapter for deployment on Cloudflare’s infrastructure, allows an attacker to bypass the third-party domain restrictions and serve any content from the vulnerable origin. This issue is fixed in version 12.6.6. | ||||
| CVE-2025-58847 | 2025-09-05 | 7.1 High | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Yaidier WN Flipbox Pro allows Reflected XSS. This issue affects WN Flipbox Pro: from n/a through 2.1. | ||||
| CVE-2025-58820 | 2025-09-05 | 5.9 Medium | ||
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Carousel Ultimate allows Stored XSS. This issue affects Carousel Ultimate: from n/a through 1.8. | ||||
| CVE-2025-58361 | 1 Promptcraft-forge-studio Project | 1 Promptcraft-forge-studio | 2025-09-05 | 9.3 Critical |
| Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions contain an non-exhaustive URL scheme check that does not protect against XSS. User-controlled URLs pass through src/utils/validation.ts, but the check only strips `javascript:` and a few patterns. `data:` URLs (for example data:image/svg+xml,…) still pass. If a sanitized value is used in href/src, an attacker can execute a script. There is currently no fix for this issue. | ||||
| CVE-2025-7445 | 1 Kubernetes | 1 Kubernetes | 2025-09-05 | 6.5 Medium |
| Kubernetes secrets-store-sync-controller in versions before 0.0.2 discloses service account tokens in logs. | ||||
| CVE-2025-41408 | 2 Google, Ly Corporation | 2 Android, Yahoo! Shopping App | 2025-09-05 | N/A |
| Improper authorization in handler for custom URL scheme issue in "Yahoo! Shopping" App for Android versions prior to 14.15.0 allows a remote unauthenticated attacker may lead a user to access an arbitrary website on the vulnerable App. As a result, the user may become a victim of a phishing attack. | ||||
| CVE-2025-55037 | 2025-09-05 | N/A | ||
| Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, an arbitrary OS command may be executed by a remote unauthenticated attacker if the settings are configured to construct messages from external sources. | ||||
| CVE-2025-55671 | 2025-09-05 | N/A | ||
| Uncontrolled search path element issue exists in TkEasyGUI versions prior to v1.0.22. If this vulnerability is exploited, arbitrary code may be executed with the privilege of running the program. | ||||
| CVE-2025-55305 | 1 Electron | 1 Electron | 2025-09-05 | 6.1 Medium |
| Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions below 35.7.5, 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1 and 38.0.0-alpha.1 through 38.0.0-beta.6, ASAR Integrity Bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is fixed in versions 35.7.5, 36.8.1, 37.3.1 and 38.0.0-beta.6. | ||||
| CVE-2025-55739 | 1 Freepbx | 1 Freepbx | 2025-09-05 | N/A |
| api is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions lower than 15.0.13, 16.0.2 through 16.0.14, 17.0.1 and 17.0.2, there is an identical OAuth private key used across multiple systems that installed the same FreePBX RPM or DEB package. An attacker with access to the shared OAuth private key could forge JWT tokens, bypass authentication, and potentially gain full access to both REST and GraphQL APIs. Systems with the "api" module enabled, configured and previously activated by an administrator for remote inbound connections may be affected. This issue is fixed in versions 15.0.13, 16.0.15 and 17.0.3. | ||||
| CVE-2025-58353 | 1 Promptcraft-forge-studio Project | 1 Promptcraft-forge-studio | 2025-09-05 | 8.2 High |
| Promptcraft Forge Studio is a toolkit for evaluating, optimizing, and maintaining LLM-powered applications. All versions of Promptcraft Forge Studio sanitize user input using regex blacklists such as r`eplace(/javascript:/gi, '')`. Because the package uses multi-character tokens and each replacement is applied only once, removing one occurrence can create a new dangerous token due to overlap. The “sanitized” value may still contain an executable payload when used in href/src (or injected into the DOM). There is currently no fix for this issue. | ||||
| CVE-2025-58794 | 2025-09-05 | 4.3 Medium | ||
| Cross-Site Request Forgery (CSRF) vulnerability in rainafarai Notification for Telegram allows Cross Site Request Forgery. This issue affects Notification for Telegram: from n/a through 3.4.6. | ||||
| CVE-2025-58827 | 2025-09-05 | 3.8 Low | ||
| Improper Control of Generation of Code ('Code Injection') vulnerability in PickPlugins Job Board Manager allows Code Injection. This issue affects Job Board Manager: from n/a through 2.1.61. | ||||
| CVE-2025-58829 | 2025-09-05 | 4.9 Medium | ||
| Server-Side Request Forgery (SSRF) vulnerability in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One allows Server Side Request Forgery. This issue affects Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One: from n/a through 2.2.6. | ||||
| CVE-2025-58846 | 2025-09-05 | 7.1 High | ||
| Cross-Site Request Forgery (CSRF) vulnerability in Dejan Markovic WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule allows Reflected XSS. This issue affects WordPress Buffer – HYPESocial. Social Media Auto Post, Social Media Auto Publish and Schedule: from n/a through 2020.1.0. | ||||
| CVE-2025-9990 | 2 Smackcoders, Wordpress | 2 Wordpress Helpdesk Integration, Wordpress | 2025-09-05 | 8.1 High |
| The WordPress Helpdesk Integration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.8.10 via the portal_type parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | ||||